Cyber Resilience


CWE-345: Insufficient Verification of Data Authenticity

Abstraction: Class · CVEs in our corpus: 611

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this weakness: the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 39 mapping(s) from 10 framework(s): ATT&CK 16 (mostly) · CAPEC 12 (partial) · STIG oracle linux 8 2 (mostly) · STIG rhel 7 2 (mostly) · STIG rhel 8 2 (mostly) · CSF 2.0 1 (mostly) · ASVS 5.0 1 (mostly) · STIG oracle linux 9 1 (mostly) · STIG rhel 9 1 (mostly) · OWASP-Web 1 (mostly)


OWASP Top 10 for Web (2025)

This weakness contributes to A08:2025 Software or Data Integrity Failures.

NIST 800-53 r5 controls that address this weakness (9) [AI]

Showing the 7 most specific. Generic controls that address many weakness types are collapsed below.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-17 | Public Key Infrastructure Certificates | SC | Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts. |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC | Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data. |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC | Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses. |
| SR-4 | Provenance | SR | Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history. |
| SR-9 | Tamper Resistance and Detection | SR | The control implements verification mechanisms that detect tampering by ensuring data authenticity. |
| PT-8 | Computer Matching Requirements | PT | Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Mandates verification of data authenticity for software, firmware, and information. |

2 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-33 | Transmission Preparation Integrity | SC | Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission. |
| SC-45 | System Time Synchronization | SC | Time synchronization supports reliable freshness verification when checking data authenticity across systems or components. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-26871 (KEV) | 10.0 | 9.8 | 0.1963 | 2022-03-29 |
| CVE-2023-38831 (KEV) | 10.0 | 7.8 | 0.9780 | 2023-08-23 |
| CVE-2016-4553 | 8.0 | 8.6 | 0.7997 | 2016-05-10 |
| CVE-2015-6853 | 7.0 | 9.1 | 0.0150 | 2016-03-24 |
| CVE-2015-6854 | 7.0 | 9.1 | 0.0150 | 2016-03-24 |
| CVE-2017-3198 | 7.0 | 9.8 | 0.0160 | 2018-07-09 |
| CVE-2015-3956 | 7.0 | 9.8 | 0.0095 | 2019-03-25 |
| CVE-2018-19971 | 7.0 | 9.8 | 0.0303 | 2019-04-16 |
| CVE-2019-11235 | 7.0 | 9.8 | 0.0357 | 2019-04-22 |
| CVE-2019-6695 | 7.0 | 9.8 | 0.0077 | 2019-08-23 |
| CVE-2019-18835 | 7.0 | 9.8 | 0.0086 | 2019-11-08 |
| CVE-2019-2289 | 7.0 | 9.8 | 0.0061 | 2019-11-21 |
| CVE-2013-2167 | 7.0 | 9.8 | 0.0170 | 2019-12-10 |
| CVE-2019-5613 | 7.0 | 9.8 | 0.0058 | 2020-02-18 |
| CVE-2016-1000004 | 7.0 | 9.8 | 0.0068 | 2020-02-19 |
| CVE-2019-12510 | 7.0 | 9.1 | 0.0071 | 2020-02-24 |
| CVE-2019-5161 | 7.0 | 9.1 | 0.0251 | 2020-03-11 |
| CVE-2019-20530 | 7.0 | 9.8 | 0.0042 | 2020-03-24 |
| CVE-2020-7487 | 7.0 | 9.8 | 0.0067 | 2020-04-22 |
| CVE-2020-9141 | 7.0 | 9.1 | 0.0036 | 2021-01-13 |
| CVE-2020-26547 | 7.0 | 9.8 | 0.0055 | 2021-02-01 |
| CVE-2020-28900 | 7.0 | 9.8 | 0.0236 | 2021-05-24 |
| CVE-2021-37421 | 7.0 | 9.8 | 0.0249 | 2021-08-30 |
| CVE-2020-24672 | 7.0 | 9.8 | 0.0054 | 2021-09-08 |
| CVE-2021-43616 | 7.0 | 9.0 | 0.0253 | 2021-11-13 |